This was addressed in bionic in
https://launchpad.net/ubuntu/+source/ark/4:17.12.3-0ubuntu1.1 and focal
in https://launchpad.net/ubuntu/+source/ark/4:19.12.3-0ubuntu1.1, and
covered in USN 4461-1.
Thanks for preparing the updates and helping to protect users,
vishnunaini!
** Changed in: ark (Ubun
** Also affects: ark (Ubuntu Bionic)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1889672
Title:
KDE Project Security Advisory: Ark: maliciously crafted
Code went through a major refactor after xenial to integrate with
updated Qt. See https://phabricator.kde.org/T2704
The refactor for this function was
-void Job::onEntry(const ArchiveEntry & archiveEntry)
+void Job::onEntry(Archive::Entry *entry)
{
-emit newEntry(archiveEntry);
+emit new
** Attachment removed: "ark_fix_test.png"
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1889672/+attachment/5399333/+files/ark_fix_test.png
--
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to ark in Ubuntu.
https://bugs.launchpad.net/bug
vishnunaini, thanks for testing and the pointer to the reproducer.
I also went ahead and carried back the patch to bionic's ark as well,
and have uploaded it to the same ppa.
For xenial, the patch fails to apply because the passed archive entry
type is different, and it was not clear to me whethe
I have tested steve's focal build from security-proposed and was able to
succesfully validate the fix i.e. warning for the PoC.
I have attached a screenshot of the warning when trying to open the PoC
** Attachment added: "ark_fix_test.png"
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1
Upstream has included the below test archive in the original advisory.
Upon trying to open the test archive in ark, a warning will show below
the menu bar.
Proof of concept
For testing, an example of malicious archive can be found at
https://github.com/jwilk/traversal-archives/re
Thanks for preparing the debdiff and adding the ubuntu-security-sponsors
account; I'll be taking a look at this.
I've pushed the focal version to the ubuntu security proposed ppa
(https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa)
after adjusting the version to match the versioni
** Changed in: ark (Ubuntu Focal)
Assignee: (unassigned) => Steve Beattie (sbeattie)
--
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to ark in Ubuntu.
https://bugs.launchpad.net/bugs/1889672
Title:
KDE Project Security Advisory: Ark: mal
thx for quick response and explanation!
(to exclude an error on my side I made some research and learned a lot
about the "apt-get" update process)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1889672
Rik only pushed an update for 20.10 Beta i.e groovy as he only has
access to the development version.
For the LTS release 20.04, the patch has not been released as it can
only be pushed by the Ubuntu security team or the release sponsors team.
I have just now added the ubuntu-security sponsors to
Sorry, but I could not get the update by using apt-get update & upgrade
http://archive.ubuntu.com/ubuntu/dists/focal-updates/universe/binary-
amd64/Packages.gz
and
http://archive.ubuntu.com/ubuntu/dists/focal-updates/universe/binary-
amd64/Packages.xz
does not announce the update...
--
You re
This bug was fixed in the package ark - 4:20.04.3-1
---
ark (4:20.04.3-1) unstable; urgency=medium
* Team upload.
* New upstream release.
* Backport upstream commit 0df592524fed305d6fbe74ddf8a196bc9ffdb92f to fix
vulnerability to path traversal attacks (CVE-2020-16116); patc
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-16116
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1889672
Title:
KDE Project Security Advisory: Ark: maliciously crafted archive c
The attachment "debdiff/patch for focal. Directly backportable to
earlier variants" seems to be a debdiff. The ubuntu-sponsors team has
been subscribed to the bug report so that they can review and hopefully
sponsor the debdiff. If the attachment isn't a patch, please remove the
"patch" flag from
** Also affects: ark (Ubuntu Groovy)
Importance: Undecided
Status: New
** Also affects: ark (Ubuntu Focal)
Importance: Undecided
Status: New
** Changed in: ark (Ubuntu Groovy)
Status: New => In Progress
** Changed in: ark (Ubuntu Groovy)
Importance: Undecided => Hig
16 matches
Mail list logo